
List:       strongswan-users
Subject:    Re: [strongSwan] Traffic in a Hub and Spoke setup not forwarded
From:       Martin Sand <dborn () gmx ! net>
Date:       2017-08-29 17:10:28
Message-ID: 4865f627-94f5-44a9-e2d5-08b1445100ae () gmx ! net

Hi Noel & all

Sorry for the late reply. I was trying to find a solution on sporadic 
weekends without messing up my actual configuration.

The MASQUERADE rule did it. I wanted to share the solution with the 
list. The simplest solution in my /etc/firewall.user looks like 
this. The last entry made it work.

---------
### IPSec VPN
iptables -A input_rule -p esp -j ACCEPT
iptables -A input_rule -p udp --dport 500 -j ACCEPT
iptables -A input_rule -p udp --dport 4500 -j ACCEPT

iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
---------

In the end I did not change the MTU. Here is a tracepath output; it seems to 
work out-of-the-box.

[user@location1 ~]$ tracepath location2
  1?: [LOCALHOST]			pmtu 1500
  1:  router-location1			3.075ms
  1:  router-location1			3.221ms
  2:  router-location1			2.881ms pmtu 1422
  2:  no reply
  3:  router-location2			47.577ms
  4:  location2				48.414ms reached
      Resume: pmtu 1422 hops 4 back 4

Best regards
Martin


On 02/25/2017 12:06 AM, Noel Kuntze wrote:
> There's the MASQUERADE rule that breaks some part of the tunnel:
> > -A zone_wan_postrouting -j MASQUERADE
> 
> This can be problematic, too. Read the article about MSS and MTU[1] and this article[2].
> > -A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
> 
> You're also not accepting ESP or IKE traffic! You NEED to allow those packets.
> UDP port 500, 4500 and the protocol ESP.
> 
> Rest looks okay though, besides the problem that the openwrt firewall doesn't play nice with IPsec.
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#MTUMSS-issues
>  This website has nothing to do with the project though!
> [2] https://strongswan.net/blog/how-to-resolve-mtu-issue-with-ipsec-tunnel/
> 
> 
> On 24.02.2017 23:59, Martin Sand wrote:
> > Sure, please find enclosed the requested files.
> > 
> > Best regards/Kind regards
> > Martin
> > 
> > 
> > On 02/24/2017 11:52 PM, Noel Kuntze wrote:
> > > Of course not. This is not a problem with the routing table.
> > > Please make sure you understand exactly what's going on before
> > > attempting to solve problems. Other technology might not
> > > be as forgiving as this.
> > > 
> > > The problem is probably that your security policies don't allow
> > > the forwarding of the traffic or you have SNAT/MASQUERADE (or other)
> > > iptables rules that either change addresses so the traffic doesn't
> > > match the policies anymore or outright drop it.
> > > 
> > > Please provide a paste of the output of `ipsec statusall`
> > > and `iptables-save`.
> > > 
> > > 
> > > 
> > > On 24.02.2017 23:49, Martin Sand wrote:
> > > > Hi all
> > > > 
> > > > After some time I began to investigate again.
> > > > I think the problem is that my strongSwan router is behind a modem (another router) which I cannot set to bridge modus. The modem is NATing the traffic.
> > > > 
> > > > Routing table 220 shows the problem.
> > > > The traffic is sent to the modem (192.168.0.1), connected to the internet and my strongSwan vpn router (192.168.2.1). The modem is also the default gateway.
> > > > root@OpenWrt:~# ip route show table 220
> > > > 192.168.1.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1
> > > > 192.168.3.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1
> > > > 
> > > > I tried to get around the problem by setting the via route to the external IP of my modem (134.100.110.120). But this does not work:
> > > > 
> > > > root@OpenWrt:~# ip r c table 220 192.168.1.0/24 via 134.100.110.120 dev eth0 proto static src 192.168.2.1
> > > > RTNETLINK answers: Network is unreachable
> > > > 
> > > > Any ideas on how to solve the issue?
> > > > 
> > > > Best regards
> > > > Martin
> > > > 
> > > > On 11/08/2016 08:46 PM, Martin Sand wrote:
> > > > > Hi all
> > > > > 
> > > > > I have a Hub and Spoke setup:
> > > > > * Central server 192.168.0.1
> > > > > * Router 1: 192.168.1.1
> > > > > * Router 2: 192.168.2.1
> > > > > 
> > > > > I cannot reach the computers on the other side of the network although the tunnel is established. Do I miss an iptable or route information?
> > > > > 
> > > > > Output from 192.168.1.100 when trying to reach a computer on the other network (192.168.2.100):
> > > > > [user@workstation ~]$ tracepath 192.168.2.100
> > > > > 1?: [LOCALHOST]                                         pmtu 1500
> > > > > 1:  router-1                                     0.475ms
> > > > > 1:  router-1                                     0.445ms
> > > > > 2:  no reply
> > > > > 
> > > > > Output of route on Router 1 (192.168.1.1):
> > > > > 192.168.2.0/24 via 80.10.10.1 dev eth0  proto static  src 192.168.1.1
> > > > > 
> > > > > Output of route on Router 2 (192.168.2.1):
> > > > > 192.168.1.0/24 via 192.168.0.1 dev eth0  proto static  src 192.168.2.1
> > > > > 
> > > > > Any ideas on what is going wrong? Maybe because one router shows the external IP of the Hub instead of the internal one?
> > > > > Best regards
> > > > > Martin
> > > > > 
> > > > > 
> > > > > _______________________________________________
> > > > > Users mailing list
> > > > > Users@lists.strongswan.org
> > > > > https://lists.strongswan.org/mailman/listinfo/users
> > > > 
> > 
> > 
> > ipsec_statusall.txt
> > 
> > 
> > Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.18.20, mips):
> > uptime: 24 minutes, since Feb 24 23:30:27 2017
> > malloc: sbrk 151552, mmap 0, used 139840, free 11712
> > worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
> > loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
> > Listening IP addresses:
> >   192.168.0.31
> >   192.168.2.1
> > Connections:
> > vpn-mann:  %any...vpn.example.de  IKEv2, dpddelay=30s
> > vpn-mann:   local:  [C=DE, O=StrongSwan, CN=mann] uses public key authentication
> > vpn-mann:    cert:  "C=DE, O=StrongSwan, CN=mann"
> > vpn-mann:   remote: [vpn.example.de] uses public key authentication
> > vpn-mann:    cert:  "C=DE, O=StrongSwan, CN=vpn.example.de"
> > vpn-mann:   child:  192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24 PASS, dpdaction=restart
> > Security Associations (1 up, 0 connecting):
> > vpn-mann[1]: ESTABLISHED 23 minutes ago, 192.168.0.31[C=DE, O=StrongSwan, CN=mann]...200.200.8.224[vpn.example.de]
> > vpn-mann[1]: IKEv2 SPIs: a2b57fe98a312245_i* 484d1d053cc36aaa_r, public key reauthentication in 28 minutes
> > vpn-mann[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> > vpn-mann{4}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c5f28034_i c535472d_o
> > vpn-mann{4}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 5 minutes
> > vpn-mann{4}:   192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24
> > vpn-mann{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cca10f29_i cd435e9e_o
> > vpn-mann{5}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 6 minutes
> > vpn-mann{5}:   192.168.2.0/24 === 192.168.1.0/24 192.168.3.0/24
> > 
> > 
> > iptables_save.txt
> > 
> > 
> > # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
> > *nat
> > :PREROUTING ACCEPT [94139:25693304]
> > :INPUT ACCEPT [23929:1678867]
> > :OUTPUT ACCEPT [24490:1838326]
> > :POSTROUTING ACCEPT [529:103136]
> > :delegate_postrouting - [0:0]
> > :delegate_prerouting - [0:0]
> > :postrouting_lan_rule - [0:0]
> > :postrouting_rule - [0:0]
> > :postrouting_wan_rule - [0:0]
> > :prerouting_lan_rule - [0:0]
> > :prerouting_rule - [0:0]
> > :prerouting_wan_rule - [0:0]
> > :zone_lan_postrouting - [0:0]
> > :zone_lan_prerouting - [0:0]
> > :zone_wan_postrouting - [0:0]
> > :zone_wan_prerouting - [0:0]
> > -A PREROUTING -j delegate_prerouting
> > -A POSTROUTING -j delegate_postrouting
> > -A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
> > -A delegate_postrouting -o br-lan -j zone_lan_postrouting
> > -A delegate_postrouting -o eth0 -j zone_wan_postrouting
> > -A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
> > -A delegate_prerouting -i br-lan -j zone_lan_prerouting
> > -A delegate_prerouting -i eth0 -j zone_wan_prerouting
> > -A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
> > -A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
> > -A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
> > -A zone_wan_postrouting -j MASQUERADE
> > -A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
> > COMMIT
> > # Completed on Fri Feb 24 23:54:03 2017
> > # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
> > *raw
> > :PREROUTING ACCEPT [30562873:27538250738]
> > :OUTPUT ACCEPT [92351:9943384]
> > :delegate_notrack - [0:0]
> > -A PREROUTING -j delegate_notrack
> > COMMIT
> > # Completed on Fri Feb 24 23:54:03 2017
> > # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
> > *mangle
> > :PREROUTING ACCEPT [30562873:27538250738]
> > :INPUT ACCEPT [86788:8751557]
> > :FORWARD ACCEPT [30431248:27507406630]
> > :OUTPUT ACCEPT [92351:9943384]
> > :POSTROUTING ACCEPT [30523601:27517350687]
> > :fwmark - [0:0]
> > :mssfix - [0:0]
> > -A PREROUTING -j fwmark
> > -A FORWARD -j mssfix
> > -A mssfix -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
> > COMMIT
> > # Completed on Fri Feb 24 23:54:03 2017
> > # Generated by iptables-save v1.4.21 on Fri Feb 24 23:54:03 2017
> > *filter
> > :INPUT ACCEPT [0:0]
> > :FORWARD DROP [0:0]
> > :OUTPUT ACCEPT [0:0]
> > :delegate_forward - [0:0]
> > :delegate_input - [0:0]
> > :delegate_output - [0:0]
> > :forwarding_lan_rule - [0:0]
> > :forwarding_rule - [0:0]
> > :forwarding_wan_rule - [0:0]
> > :input_lan_rule - [0:0]
> > :input_rule - [0:0]
> > :input_wan_rule - [0:0]
> > :output_lan_rule - [0:0]
> > :output_rule - [0:0]
> > :output_wan_rule - [0:0]
> > :reject - [0:0]
> > :syn_flood - [0:0]
> > :zone_lan_dest_ACCEPT - [0:0]
> > :zone_lan_forward - [0:0]
> > :zone_lan_input - [0:0]
> > :zone_lan_output - [0:0]
> > :zone_lan_src_ACCEPT - [0:0]
> > :zone_wan_dest_ACCEPT - [0:0]
> > :zone_wan_dest_REJECT - [0:0]
> > :zone_wan_forward - [0:0]
> > :zone_wan_input - [0:0]
> > :zone_wan_output - [0:0]
> > :zone_wan_src_REJECT - [0:0]
> > -A INPUT -j delegate_input
> > -A FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A FORWARD -s 192.168.2.0/24 -d 192.168.3.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A FORWARD -s 192.168.2.0/24 -d 192.168.3.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
> > -A FORWARD -j delegate_forward
> > -A OUTPUT -j delegate_output
> > -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
> > -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A delegate_forward -i br-lan -j zone_lan_forward
> > -A delegate_forward -i eth0 -j zone_wan_forward
> > -A delegate_forward -j reject
> > -A delegate_input -i lo -j ACCEPT
> > -A delegate_input -m comment --comment "user chain for input" -j input_rule
> > -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
> > -A delegate_input -i br-lan -j zone_lan_input
> > -A delegate_input -i eth0 -j zone_wan_input
> > -A delegate_output -o lo -j ACCEPT
> > -A delegate_output -m comment --comment "user chain for output" -j output_rule
> > -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> > -A delegate_output -o br-lan -j zone_lan_output
> > -A delegate_output -o eth0 -j zone_wan_output
> > -A reject -p tcp -j REJECT --reject-with tcp-reset
> > -A reject -j REJECT --reject-with icmp-port-unreachable
> > -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
> > -A syn_flood -j DROP
> > -A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
> > -A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
> > -A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
> > -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
> > -A zone_lan_forward -j zone_lan_dest_ACCEPT
> > -A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
> > -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
> > -A zone_lan_input -j zone_lan_src_ACCEPT
> > -A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
> > -A zone_lan_output -j zone_lan_dest_ACCEPT
> > -A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
> > -A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
> > -A zone_wan_dest_REJECT -o eth0 -j reject
> > -A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
> > -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
> > -A zone_wan_forward -j zone_wan_dest_REJECT
> > -A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
> > -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
> > -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
> > -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
> > -A zone_wan_input -j zone_wan_src_REJECT
> > -A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
> > -A zone_wan_output -j zone_wan_dest_ACCEPT
> > -A zone_wan_src_REJECT -i eth0 -j reject
> > COMMIT
> > # Completed on Fri Feb 24 23:54:03 2017
> > 
> > 
> > 
> 

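To show why the last firewall.user rule at the top of this thread fixes the problem, here is an added example (not code from the thread, strongSwan or OpenWrt) that parses an iptables-save nat table and walks POSTROUTING the way netfilter does for a packet leaving eth0 that matches an outbound IPsec policy. The sample table is constructed from the thread's iptables_save.txt; without the inserted rule the walk ends in MASQUERADE, which rewrites the source address so the packet no longer matches the SA's traffic selectors, and with it the packet is exempted from NAT before it gets there.

```python
# Added example, not code from the thread, strongSwan or OpenWrt: walk the nat
# POSTROUTING chain for an IPsec-policy packet leaving eth0 and report whether
# MASQUERADE (source rewritten) or the "-m policy ... -j ACCEPT" exemption wins.
import re

# Constructed sample: the nat chains from the thread's iptables_save.txt, trimmed.
NAT_BROKEN = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j delegate_postrouting
-A delegate_postrouting -o br-lan -j zone_lan_postrouting
-A delegate_postrouting -o eth0 -j zone_wan_postrouting
-A zone_wan_postrouting -j MASQUERADE
COMMIT
"""
# The same table after the fix from the top of the thread; -I puts the rule first.
NAT_FIXED = NAT_BROKEN.replace(
    "-A POSTROUTING -j delegate_postrouting",
    "-A POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT\n"
    "-A POSTROUTING -j delegate_postrouting")

def parse_rules(dump):
    """Return {chain: [rule, ...]} in dump order (one table's -A lines)."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith("-A "):
            _, chain, rule = line.split(" ", 2)
            chains.setdefault(chain, []).append(rule)
    return chains

def rule_matches(rule, out_if, ipsec_out):
    """Evaluate the matches this example understands: -o and -m policy."""
    m = re.search(r"(?:^|\s)-o (\S+)", rule)
    if m and m.group(1) != out_if:
        return False
    if "--pol ipsec" in rule and "--dir out" in rule:
        return ipsec_out
    return True  # other matches (e.g. -m comment) are assumed to match

def nat_verdict(chains, chain="POSTROUTING", out_if="eth0", ipsec_out=True):
    """Walk like netfilter: ACCEPT/MASQUERADE/SNAT terminate; a user chain that
    falls through returns to the caller, which continues with its next rule."""
    for rule in chains.get(chain, []):
        if not rule_matches(rule, out_if, ipsec_out):
            continue
        target = re.search(r"(?:^|\s)-j (\S+)", rule).group(1)
        if target in ("ACCEPT", "MASQUERADE", "SNAT"):
            return target
        if target in chains:
            verdict = nat_verdict(chains, target, out_if, ipsec_out)
            if verdict:
                return verdict
    return None  # fell off the end: no NAT applied, addresses unchanged
```

Running `nat_verdict(parse_rules(NAT_BROKEN))` gives "MASQUERADE" and `nat_verdict(parse_rules(NAT_FIXED))` gives "ACCEPT"; non-IPsec traffic on eth0 is still masqueraded in both tables, which is what a NATed WAN uplink needs.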

